This chatty Samsung phone is spilling all the goods on its owner's travels—without even being asked.

Sean Gallagher

Every time you use Google or Apple mobile location services, you’re not just telling the services where you are. You’re also shouting many of the places you’ve been to anyone who happens to be listening around you—at least if you follow Google’s and Apple’s advice and turn on Wi-Fi for improved accuracy.

Wi-Fi is everywhere. And because of its ubiquity, Wi-Fi access points have become the navigational beacons of the 21st century, allowing location-based services on mobile devices to know exactly where you are. But thanks to the way Wi-Fi protocols work, mapping using Wi-Fi is a two-way street—just as your phone listens for information about networks around it to help you find your way, it is shouting out the name of every network it remembers you connecting to as long as it remains unconnected.

An unpatched vulnerability in Yosemite and some earlier versions of Apple's Mac OS X allows untrusted people to take full control of users' machines, a security researcher has warned.

Dubbed Rootpipe, the privilege escalation bug allows people to gain root access, a nearly unrestricted level of system privileges, without first entering the "sudo" password, according to a recent report published by Macworld. Sudo is a mechanism that's designed to prevent code execution, file deletions, and other sensitive operations from being carried out by unauthorized people who have physical access to a computer.

"Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password," Emil Kvarnhammar, a researcher at Swedish security firm Truesec, told Macworld. "It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it."

Google puts down POODLE, now wants to eradicate breed (Register): Android's security bod used the tool for "some time" and released it after working with developers to help lift their app infosec game. "But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said. He called for the community to ...

LinuxSecurity.com: An updated mod_auth_mellon package that fixes two security issues is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security ...

LinuxSecurity.com: Updated shim packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security ...

LinuxSecurity.com: Updated cups-filters packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security ...

Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft's Windows Update mechanism.

Nathaniel McHugh ran open source software known as HashClash to modify two separate images—one of them depicting funk legend James Brown and the other R&B singer/songwriter Barry White—that generate precisely the same MD5 hash, e06723d4961a0a3f950e7786f3766338. The exercise—known in cryptographic circles as a hash collision—took just 10 hours and cost only 65 cents plus tax to complete using a GPU instance on Amazon Web Service. In 2007, cryptography expert and HashClash creator Marc Stevens estimated it would require about one day to complete an MD5 collision using a cluster of PlayStation 3 consoles.

The MD5 hash for this picture—e06723d4961a0a3f950e7786f3766338—is precisely the same for the one below. Such "collisions" are a fatal flaw for hashing algorithms and can lead to disastrous attacks.

The practical ability to create two separate inputs that generate the same hash is a fundamental flaw that makes MD5 unsuitable for most purposes. (The exception is password hashing. Single iteration MD5 hashing is horrible for passwords but for an entirely different reason that is outside the scope of this post.) The susceptibility to collisions can have disastrous consequences, potentially for huge swaths of the Internet.

A former teen hacker who stole nude photos from Paris Hilton's cellphone
and swiped a half million dollars from unsuspecting consumers tells NBC
News, and his most famous victim, that he's sorry for what he did.

The Defense Information Systems Agency currently offers its military
customers certified cloud computing services from three vendors and has
another seven under assessment for compliance with governmentwide security
standards, top agency officials told Nextgov.

Contactless credit cards are a hit in the UK. But a British research team
has revealed a serious security flaw that allows anyone to charge up to
$999,999.99 in foreign currency to a nearby card, even while it's still in
a wallet or purse.

The US healthcare industry has embraced its digital future — and that
future is dependent on the Internet. The passage and implementation of
recent legislation has mandated the adoption of connected healthcare
technology as a way to reduce costs, increase patient privacy, and improve
care collaboration and...

Some of the most widely used messaging apps in the world, including Google
Hangouts, Facebook chat, Yahoo Messenger and Snapchat, flunked a
best-practices security test by advocacy group the Electronic Frontier
Foundation (EFF).